diff --git a/internal/cri/nri/nri_api_linux.go b/internal/cri/nri/nri_api_linux.go
index c6f1a0e5136a..374dcae1a714 100644
--- a/internal/cri/nri/nri_api_linux.go
+++ b/internal/cri/nri/nri_api_linux.go
@@ -1013,10 +1013,36 @@ func (c *criContainer) GetSysctl() map[string]string {
 	return maps.Clone(c.spec.Linux.Sysctl)
 }
 
+func (c *criContainer) GetSeccompPolicy() *api.LinuxSeccomp {
+	if c.spec.Linux == nil || c.spec.Linux.Seccomp == nil {
+		return nil
+	}
+
+	return api.FromOCILinuxSeccomp(c.spec.Linux.Seccomp)
+}
+
 func (c *criContainer) GetPid() uint32 {
 	return c.pid
 }
 
+func (c *criContainer) GetRlimits() []*api.POSIXRlimit {
+	if c.spec == nil {
+		return nil
+	}
+
+	var rlimits []*api.POSIXRlimit
+
+	for _, l := range c.spec.Process.Rlimits {
+		rlimits = append(rlimits, &api.POSIXRlimit{
+			Type: l.Type,
+			Hard: l.Hard,
+			Soft: l.Soft,
+		})
+	}
+
+	return rlimits
+}
+
 //
 // conversion to/from CRI types
 //
diff --git a/internal/cri/server/container_checkpoint_linux.go b/internal/cri/server/container_checkpoint_linux.go
index b54963ae8676..de6f287f7998 100644
--- a/internal/cri/server/container_checkpoint_linux.go
+++ b/internal/cri/server/container_checkpoint_linux.go
@@ -488,7 +488,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	if state != runtime.ContainerState_CONTAINER_RUNNING {
 		return nil, fmt.Errorf(
 			"container %q is in %s state. only %s containers can be checkpointed",
-			r.GetContainerId(),
+			container.ID,
 			criContainerStateToString(state),
 			criContainerStateToString(runtime.ContainerState_CONTAINER_RUNNING),
 		)
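Review bot: GetRlimits guards against c.spec being nil but then reads c.spec.Process.Rlimits without checking c.spec.Process, while GetSeccompPolicy checks c.spec.Linux and c.spec.Linux.Seccomp but never c.spec itself; assuming c.spec is the OCI runtime-spec Spec, both Process and Linux are pointer fields, so either accessor can panic on a partially populated spec and take the NRI adaptation path down with it. The neighbouring GetSysctl in the context lines dereferences c.spec.Linux unchecked as well, so the file may rely on an invariant established elsewhere, but the two new methods should at least agree with each other. Suggest the same guard shape in both: `if c.spec == nil || c.spec.Process == nil { return nil }` in GetRlimits and `if c.spec == nil || c.spec.Linux == nil || c.spec.Linux.Seccomp == nil { return nil }` in GetSeccompPolicy. Both methods are exported and undocumented; a one-line comment on each saying that the value is derived from the container's OCI spec (Process.Rlimits and Linux.Seccomp respectively) would tell plugin authors what they are receiving.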
@@ -515,11 +515,11 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 
 	task, err := container.Container.Task(ctx, nil)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get task for container %q: %w", r.GetContainerId(), err)
+		return nil, fmt.Errorf("failed to get task for container %q: %w", container.ID, err)
 	}
-	img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(r.GetContainerId()))}...)
+	img, err := task.Checkpoint(ctx, []client.CheckpointTaskOpts{withCheckpointOpts(i.Runtime.Name, c.getContainerRootDir(container.ID))}...)
 	if err != nil {
-		return nil, fmt.Errorf("checkpointing container %q failed: %w", r.GetContainerId(), err)
+		return nil, fmt.Errorf("checkpointing container %q failed: %w", container.ID, err)
 	}
 
 	// the checkpoint image has been provided as an index with manifests representing the tar of criu data, the rw layer, and the config
@@ -542,7 +542,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 		return nil, fmt.Errorf("failed to unmarshall blob into checkpoint data OCI index: %w", err)
 	}
 
-	cpPath := filepath.Join(c.getContainerRootDir(r.GetContainerId()), "ctrd-checkpoint")
+	cpPath := filepath.Join(c.getContainerRootDir(container.ID), "ctrd-checkpoint")
 	if err := os.MkdirAll(cpPath, 0o700); err != nil {
 		return nil, err
 	}
@@ -551,7 +551,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// This internal containerd file is used by checkpointctl for
 	// checkpoint archive analysis.
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.StatusFile),
+		filepath.Join(c.getContainerRootDir(container.ID), crmetadata.StatusFile),
 		filepath.Join(cpPath, crmetadata.StatusFile),
 		0o600,
 	); err != nil {
@@ -561,7 +561,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// This file is created by CRIU and includes timing analysis.
 	// Also used by checkpointctl
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), stats.StatsDump),
+		filepath.Join(c.getContainerRootDir(container.ID), stats.StatsDump),
 		filepath.Join(cpPath, stats.StatsDump),
 		0o600,
 	); err != nil {
@@ -571,7 +571,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 	// The log file created by CRIU. This file could be missing.
 	// Let's ignore errors if the file is missing.
 	if err := c.os.CopyFile(
-		filepath.Join(c.getContainerRootDir(r.GetContainerId()), crmetadata.DumpLogFile),
+		filepath.Join(c.getContainerRootDir(container.ID), crmetadata.DumpLogFile),
 		filepath.Join(cpPath, crmetadata.DumpLogFile),
 		0o600,
 	); err != nil {
@@ -645,7 +645,7 @@ func (c *criService) CheckpointContainer(ctx context.Context, r *runtime.Checkpo
 
 	containerCheckpointTimer.WithValues(i.Runtime.Name).UpdateSince(start)
 
-	log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), r.GetContainerId())
+	log.G(ctx).Infof("Wrote checkpoint archive to %s for %s", outFile.Name(), container.ID)
 
 	return &runtime.CheckpointContainerResponse{}, nil
 }
diff --git a/internal/nri/container.go b/internal/nri/container.go
index c7980367618c..ab1cd14eab7c 100644
--- a/internal/nri/container.go
+++ b/internal/nri/container.go
@@ -47,6 +47,7 @@ type Container interface {
 	GetHooks() *nri.Hooks
 	GetLinuxContainer() LinuxContainer
 	GetCDIDevices() []*nri.CDIDevice
+	GetRlimits() []*nri.POSIXRlimit
 }
 
 type LinuxContainer interface {
@@ -61,6 +62,7 @@ type LinuxContainer interface {
 	GetRdt() *nri.LinuxRdt
 	GetSeccompProfile() *nri.SecurityProfile
 	GetSysctl() map[string]string
+	GetSeccompPolicy() *nri.LinuxSeccomp
 }
 
 func commonContainerToNRI(ctr Container) *nri.Container {
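Review bot: LinuxContainer now carries both GetSeccompProfile() *nri.SecurityProfile and the new GetSeccompPolicy() *nri.LinuxSeccomp with nothing telling an implementer or a plugin author how the two differ; from the criContainer implementation elsewhere in this commit, GetSeccompPolicy is a conversion of the container's OCI spec Linux.Seccomp block, whereas GetSeccompProfile appears to be the profile reference. Suggest a doc comment on the new method, e.g. `// GetSeccompPolicy returns the container's OCI seccomp configuration (spec.Linux.Seccomp), not the profile reference returned by GetSeccompProfile.` Adding GetRlimits to the platform-independent Container interface also obligates every implementation, not only the Linux one, to provide it; any implementation outside this diff needs at least a stub returning nil, which the commit does not show. This also applies to the consumers in commonContainerToNRI and containerToNRI in the next hunks, which call the new methods unconditionally.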
@@ -82,6 +84,7 @@ func commonContainerToNRI(ctr Container) *nri.Container {
 		StartedAt: status.StartedAt,
 		FinishedAt: status.FinishedAt,
 		ExitCode: status.ExitCode,
+		Rlimits: ctr.GetRlimits(),
 	}
 }
 
diff --git a/internal/nri/container_linux.go b/internal/nri/container_linux.go
index a0bb93cd4d23..a956ee8fa7d0 100644
--- a/internal/nri/container_linux.go
+++ b/internal/nri/container_linux.go
@@ -37,6 +37,7 @@ func containerToNRI(ctr Container) *nri.Container {
 		Rdt: lnxCtr.GetRdt(),
 		SeccompProfile: lnxCtr.GetSeccompProfile(),
 		Sysctl: lnxCtr.GetSysctl(),
+		SeccompPolicy: lnxCtr.GetSeccompPolicy(),
 	}
 	return nriCtr
 }